Mozilla has temporarily disabled Microsoft’s WPF plugin for Firefox in order to protect users from a security vulnerability that was recently uncovered in the component. The vulnerability can be exploited when users visit malicious Web pages that contain specially crafted XAML content.
Microsoft issued an Internet Explorer patch to fix the vulnerability through its Windows Update mechanism on Tuesday. The IE patch is said to fully resolve the vulnerability for Firefox users in addition to users of Microsoft’s own browser. Mozilla is concerned, however, that not all users have performed the Windows update yet. In order to protect users who are not yet patched, Mozilla has added Microsoft’s plugin to its add-on blocklist, causing it to be automatically disabled by the browser.
Mike Shaver, Mozilla’s vice president of engineering, described the security problem in a blog entry posted Friday in the official Mozilla security blog. He explains that Mozilla decided to block the plugin when Microsoft suggested that users should consider turning it off until the efficacy of the fix has been fully confirmed. The related .NET Framework Assistant add-on was initially blocked too, but Mozilla removed it from the blocklist when Microsoft later confirmed that it was not vulnerable.
“Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism,” he wrote. “Microsoft agreed with the plan, and we put the blocklist entry live immediately.”
The plugin generated controversy earlier this year because Microsoft surreptitiously injected it into Firefox via a Windows Update, without prompting or notifying users. In response to criticism from Firefox users and concerns expressed by Mozilla itself, Microsoft released a tool in June that users could run to uninstall the plugin.
Adding the plugin to a blocklist seems reasonable in light of the risk that this security vulnerability poses to users, but it’s a very blunt weapon. Microsoft apparently doesn’t properly maintain version numbers in the plugin, so Mozilla has no way to selectively target the block to the insecure version. This means that the block will affect users who have already updated to a safe version of the plugin.
One of our readers submitted a report in Mozilla’s bug tracking system requesting that the plugin be restored for users who are fully patched, but there’s currently no way to accomplish this. Mozilla has implemented a feature in Firefox that will allow users to manually override the block for individual plugins, but it’s unclear when this feature will be deployed. Although it’s likely that it will go out soon in a Firefox update, users may have to wait for its arrival (or dive into about:config and disable the entire blocklist mechanism) if they want to use the WPF plugin.
Plugin security vulnerabilities are a major problem for browser vendors. These bugs are especially tempting as exploit targets because they often affect multiple browsers and provide a bigger audience of potential victims. In response to the serious security vulnerabilities that have been found in Adobe Flash and other popular plugins, Mozilla launched a new plugin check service earlier this month that will help users determine when they need to update. The recent problems with Microsoft’s plugin demonstrate the importance of this sort of vigilance.